The RBAC model defines three basic rules:
Additionally, transformation procedures, objects and access modes can be separated, and an access function can define which role, executing which transaction, may access which objects with which access modes.
In [FeCuKu95], the term operation is introduced, which denotes an access with a certain mode to a set of objects. Roles are then authorized for operations and no longer for transactions or transaction procedures. Also, users are distinguished from subjects. A subject is an active entity, performing operations on behalf of one user at a time, and has a set of active roles, for which the user must be authorized.
Roles may be members of other roles, so that membership in a subrole implies the membership in all parent roles, including all their authorizations. The possible membership in several roles requires the definition of mutual exclusion to preserve separation of duty, i.e., pairs of roles which may not share the same member or, in the revised model, which may not be activated at the same time by the same subject.
Finally, the RBAC model defines static and dynamic capacities of roles, the former being the maximum number of members, the latter the maximum number of subjects having the role activated.
In [Ferraiolo+2001], a NIST standard for RBAC models has been proposed. It adds the notion of user sessions, which allow roles to be selectively activated or deactivated within a session. All RBAC features are grouped into Core RBAC, which contains the basic functionality; Hierarchical RBAC, which defines role hierarchies; and Constrained RBAC, with Static and Dynamic Separation of Duty Relations. All RBAC separation of duty relates to which roles from the assigned set of roles can be used by a single user at the same time. Mutual exclusion is only a subset of this.
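The following added example (not code from the cited papers or the NIST proposal) sketches the activation checks of the revised model described above: authorization through role membership, mutual exclusion at activation time, and dynamic capacity. The class name, method names and the teller/clerk/auditor policy are assumptions made for illustration.

```python
# Added example: all names and the sample policy are constructed for illustration.
class Rbac:
    def __init__(self, parents, role_ops, user_roles, exclusive, dyn_capacity):
        self.parents = parents            # role -> direct parent roles
        self.role_ops = role_ops          # role -> {(mode, object)} operations
        self.user_roles = user_roles      # user -> directly assigned roles
        self.exclusive = exclusive        # {frozenset({r1, r2})} exclusive pairs
        self.dyn_capacity = dyn_capacity  # role -> max subjects with it active
        self.subjects = {}                # subject id -> (user, active roles)

    def closure(self, roles):
        """Given roles plus every parent role that membership implies."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.parents.get(role, ()))
        return seen

    def new_subject(self, sid, user):
        self.subjects[sid] = (user, set())  # a subject acts for exactly one user

    def activate(self, sid, role):
        user, active = self.subjects[sid]
        if role not in self.closure(self.user_roles.get(user, ())):
            raise PermissionError(f"{user} is not authorized for {role}")
        combined = self.closure(active | {role})
        if any(pair <= combined for pair in self.exclusive):
            raise PermissionError(f"{role} conflicts with an active role")
        # Dynamic capacity counts subjects that activated the role directly.
        holders = sum(role in a for _, a in self.subjects.values())
        limit = self.dyn_capacity.get(role, float("inf"))
        if role not in active and holders >= limit:
            raise PermissionError(f"dynamic capacity of {role} reached")
        active.add(role)

    def may(self, sid, mode, obj):
        """True if an active role, or a parent it implies, grants the operation."""
        _, active = self.subjects[sid]
        return any((mode, obj) in self.role_ops.get(r, ()) for r in self.closure(active))

def sample():
    """Constructed policy: teller is a subrole of clerk; teller and auditor exclude."""
    return Rbac(parents={"teller": {"clerk"}},
                role_ops={"clerk": {("read", "ledger")}, "teller": {("write", "ledger")},
                          "auditor": {("read", "audit_log")}},
                user_roles={"alice": {"teller", "auditor"}, "bob": {"auditor"}},
                exclusive={frozenset({"teller", "auditor"})},
                dyn_capacity={"auditor": 1})
```

Note that the user alice is a member of both teller and auditor; the constraint only prevents one subject from having both active at once, which is the revised (dynamic) form of mutual exclusion.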